Posted to dev@httpd.apache.org by Gary Benson <gb...@redhat.com> on 2001/12/21 16:27:09 UTC

[bug] 404 served instead of 401

Hi,

I found a bug whereby Apache 1.3.22 inconsistently handles the interaction
between aliases to non-existent paths and authentication. If the alias is
specified as an absolute path then a 401 is always served, but if the
alias is a relative path then in some cases a 404 will be served.

I don't see this as a security threat -- "an attacker could see that
you are dozy and have specified non-existent paths" doesn't really
instill fear -- but it nevertheless is leaking information which it
probably shouldn't.

To test it for yourselves, take one apache-1.3.22 tarball, configure,
make and make install. I did it in /usr/local/apache, so you'll
probably want to sed the patch if you try it somewhere else.

 $ cd /usr/local/apache
 $ patch -p0 < httpd.conf.patch	# attached
 $ mv htdocs/manual .
 $ ln -s nowhere htdocs/broken
 $ bin/apachectl start

Finally, run test.sh. An annotated version of its output is as
follows:

 * Not an alias and not present in the docroot
    http://localhost:8080/Xmanual  401
    http://localhost:8080/Xmanual/ 401

 * Alias to an existing path
    http://localhost:8080/0manual  401
    http://localhost:8080/0manual/ 401

 * Aliases to non-existent relative paths
    http://localhost:8080/1manual  401
    http://localhost:8080/1manual/ 404    <<<<<<

    http://localhost:8080/2manual  404    <<<<<<
    http://localhost:8080/2manual/ 404    <<<<<<

    http://localhost:8080/3manual  404    <<<<<<
    http://localhost:8080/3manual/ 404    <<<<<<

    http://localhost:8080/4manual  401
    http://localhost:8080/4manual/ 404    <<<<<<

 * Aliases to non-existent absolute paths
    http://localhost:8080/5manual  401
    http://localhost:8080/5manual/ 401

    http://localhost:8080/6manual  401
    http://localhost:8080/6manual/ 401

    http://localhost:8080/7manual  401
    http://localhost:8080/7manual/ 401

    http://localhost:8080/8manual  401
    http://localhost:8080/8manual/ 401

 * Aliases to a relative path to a broken symlink
    http://localhost:8080/9manual  401
    http://localhost:8080/9manual/ 404    <<<<<<

    http://localhost:8080/Amanual  404    <<<<<<
    http://localhost:8080/Amanual/ 404    <<<<<<

    http://localhost:8080/Bmanual  404    <<<<<<
    http://localhost:8080/Bmanual/ 404    <<<<<<

    http://localhost:8080/Cmanual  401
    http://localhost:8080/Cmanual/ 404    <<<<<<

 * Aliases to an absolute path to a broken symlink
    http://localhost:8080/Dmanual  401
    http://localhost:8080/Dmanual/ 401

    http://localhost:8080/Emanual  401
    http://localhost:8080/Emanual/ 401

    http://localhost:8080/Fmanual  401
    http://localhost:8080/Fmanual/ 401

    http://localhost:8080/Gmanual  401
    http://localhost:8080/Gmanual/ 401

I don't know whether you'd prefer it to return a 401 or a 404 (it
follows the alias, but the new path isn't valid, and if the new path
isn't valid then why apply directory stuff to it?). Personally I prefer
returning a 401, but that's not my choice to make. Either way, the
fact that it is inconsistent is not good.

Cheers, and Merry Christmas,
Gary

[ gbenson@redhat.com ][ GnuPG 85A8F78B ][ http://inauspicious.org/ ]
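
The test.sh mentioned above is not included in the post; the script below is an added example (not Gary's script) that probes each alias with and without a trailing slash and flags pairs whose status codes differ, which is exactly the inconsistency the report describes. The server base URL, the `probe`/`find_inconsistent` function names and the embedded sample table (copied from the annotated output above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: detect alias/auth responses
# that leak path existence by comparing /alias against /alias/.

# Alias names taken from the annotated output in the report (assumed list).
ALIASES="Xmanual 0manual 1manual 2manual 3manual 4manual 5manual 6manual 7manual 8manual
         9manual Amanual Bmanual Cmanual Dmanual Emanual Fmanual Gmanual"

# status_of URL: print the HTTP status code the server returns (needs a live server).
status_of() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# probe BASE: print "url code" lines for the bare and slash-terminated form of each alias.
probe() {
    for a in $ALIASES; do
        for u in "$1/$a" "$1/$a/"; do
            printf '%s %s\n' "$u" "$(status_of "$u")"
        done
    done
}

# find_inconsistent: read "url code" lines on stdin and print "alias bare_code slash_code"
# for every alias whose two forms were answered with different status codes.
# A 401/404 mismatch inside an auth-protected area tells an unauthenticated
# client whether the aliased target exists, which is the leak the report shows.
find_inconsistent() {
    awk '{
        url = $1; code = $2; key = url
        sub(/\/$/, "", key)                 # group the pair under the bare URL
        if (url ~ /\/$/) slash[key] = code; else bare[key] = code
    }
    END {
        for (k in bare)
            if (k in slash && bare[k] != slash[k])
                printf "%s %s %s\n", k, bare[k], slash[k]
    }' | sort
}

# Constructed sample, copied from the annotated output above, so the check
# can be exercised without a running server.
SAMPLE='http://localhost:8080/0manual 401
http://localhost:8080/0manual/ 401
http://localhost:8080/1manual 401
http://localhost:8080/1manual/ 404
http://localhost:8080/5manual 401
http://localhost:8080/5manual/ 401'

# Usage: sh check_aliases.sh http://localhost:8080   (no argument: run on SAMPLE)
if [ -n "$1" ]; then probe "$1" | find_inconsistent
else printf '%s\n' "$SAMPLE" | find_inconsistent; fi
```

Every line the script prints is an alias that answers differently depending on the trailing slash; an empty result means the server's responses are consistent for the tested set.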

Re: [bug] 404 served instead of 401

Posted by "William A. Rowe, Jr." <wr...@covalent.net>.
From: "Gary Benson" <gb...@redhat.com>
Sent: Friday, December 21, 2001 9:27 AM


> I found a bug whereby Apache 1.3.22 inconsistently handles the interaction
> between aliases to non-existent paths and authentication. If the alias is
> specified as an absolute path then a 401 is always served, but if the
> alias is a relative path then in some cases a 404 will be served.

I believe this is most definitely a feature.  IIRC, this prevents some
phantom requests from autoindex-revealing.  At least that's what I remember,
could be wrong.


Re: [bug] 404 served instead of 401

Posted by Gary Benson <gb...@redhat.com>.
On Fri, 21 Dec 2001, Rodent of Unusual Size wrote:

> Gary Benson wrote:
> > 
> > I found a bug whereby Apache 1.3.22 inconsistently handles
> > the interaction between aliases to non-existent paths and
> > authentication. If the alias is specified as an absolute
> > path then a 401 is always served, but if the alias is a
> > relative path then in some cases a 404 will be served.
> 
> I don't recall that we ever supported, nor even suggested
> that we supported, 'relative' file paths for aliases.  To
> what would they be relative?

The docroot, I suppose. But in that case, if we don't support them then 
should we not be returning 500s instead of 401s and 404s?

Gary

[ gbenson@redhat.com ][ GnuPG 85A8F78B ][ http://inauspicious.org/ ]


Re: [bug] 404 served instead of 401

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Gary Benson wrote:
> 
> I found a bug whereby Apache 1.3.22 inconsistently handles
> the interaction between aliases to non-existent paths and
> authentication. If the alias is specified as an absolute
> path then a 401 is always served, but if the alias is a
> relative path then in some cases a 404 will be served.

I don't recall that we ever supported, nor even suggested
that we supported, 'relative' file paths for aliases.  To
what would they be relative?
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"